devise-jwt 0.5.4 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32fe8c3c030561e41ec59fdd1c8b908383f6b17a
-  data.tar.gz: 4e6963a574f5b2ce85348c6cf7d517012d8211c5
+  metadata.gz: 57b63a9ada186b91ddf11b892501aabae2f4492d
+  data.tar.gz: fa3f300ec74e2486c89a8c1a43ddd5e2cf7de9dd
 SHA512:
-  metadata.gz: 71cf006f402864377c0beb7651034b23aacb0e8d9f69843f6b2a32226a0e28b3ef574e608dde454e9d9bacb0bfc65467d07fd11b815a0d716c42921ec3bb82f4
-  data.tar.gz: a1d2488ef35b9943ddcb071b4ead6f5f9392e52027d26323e5af75c52d6c03534f9b566ac955d3f12020360c7e8b163bf8656a637804f29dd98367439c9ea880
+  metadata.gz: a3266cc44d2018dba06637e32ddc38c7d03a10d51db4c2417e3c4fd7efa4972bbc62e85176fab2b69aadebf5be34ade00685d32f08e609c0782fa16b288db74d
+  data.tar.gz: 6b633a9f667ee171e4b7c874ccbd321959b91c3581cc92c63a2d599ac9aa67db4eaff2088d5b3c0d725b3498fa6fc480917af85509785dae1d4f4ef1419baa42

data/CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.5.5] - 2018-01-30
+### Fixed
+- Update `warden-jwt_auth` dependency to reenable JWT scopes being stored to
+  the session and inform the user.
+
 ## [0.5.4] - 2018-01-09
 ### Fixed
 - Update `warden-jwt_auth` dependency to allow a JWT scope to be fetched from

data/README.md

@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'devise-jwt', '~> 0.5.4'
+gem 'devise-jwt', '~> 0.5.5'
 ```
 
 And then execute:
@@ -111,6 +111,42 @@ config.middleware.insert_before 0, Rack::Cors do
 end
 ```
 
+#### Session storage caveat
+
+If you are working with a Rails application that has session storage enabled
+and a default devise setup, chances are that same origin requests will be
+authenticated from the session regardless of a token being present in the
+headers or not.
+
+This is so because of the following default devise workflow:
+
+- When a user signs in with `:database_authenticatable` strategy, the user is
+  stored in the session unless one of the following conditions is met:
+  - Session is disabled.
+  - Devise `config.skip_session_storage` includes `:params_auth`.
+  - [Rails Request forgery
+    protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
+    handles an unverified request (but this is usually deactivated for API
+    requests).
+- Warden (the engine below devise), authenticates any request that has the user
+  in the session without even reaching to any strategy (`:jwt_authenticatable`
+  in our case).
+
+So, if you want to avoid this caveat you have two options:
+
+- Disable the session. If you are developing an API, probably you don't need
+  it. In order to disable it, change `config/initializers/session_store.rb` to:
+  ```ruby
+  Rails.application.config.session_store :disabled
+  ```
+  Notice that if you created the application with the `--api` flag you already
+  have the session disabled.
+- If you still need the session for any other purpose, disable
+  `:database_authenticatable` user storage. In `config/initializers/devise.rb`:
+  ```ruby
+  config.skip_session_storage = [:http_auth, :params_auth]
+  ```
+
 ### Revocation strategies
 
 `devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
@@ -311,9 +347,9 @@ end
 
 ### Testing
 
-Models configured with `:jwt_authenticatable` can't be retrieved from the
-session. For this reason, `sign_in` devise testing helper methods won't work as
-expected.
+Models configured with `:jwt_authenticatable` usually won't be retrieved from
+the session. For this reason, `sign_in` devise testing helper methods won't
+work as expected.
 
 What you need to do in order to authenticate test environment requests is the
 same that you will do in production: to provide a valid token in the

data/devise-jwt.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.3.4'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.3.5'
 
   spec.add_development_dependency "bundler", "~> 1.12"
   spec.add_development_dependency "rake", "~> 10.0"

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.5.4'
+    VERSION = '0.5.5'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.5
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-01-09 00:00:00.000000000 Z
+date: 2018-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.5
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement